RE: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()

From:	François Laupretre	Date:	Thu, 05 Feb 2015 09:33:34 +0000
Subject:	RE: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
References:	1 2 3 4	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

> De : [email protected] [mailto:[email protected]] De la part de Yasuo Ohgaki
> How about alternative way that turn 'require' into non embedded mode by INI switch?

A big NO for me, as I am using 'include/require' in a lot of programs to include template
files containing mixed text/php contents. And I'm probably not the only one.

Another reason is, like Adam, that I don't want another INI switch to change the interpreter
behavior. When releasing a program, documenting and debugging ini switch dependencies is a
nightmare. Even adding an 'extension=' line is a problem for many final users. So, please
don't add another ini switch.

I am not opposed to the first option, while I don't really see the 'extremely severe
security breach' brought by authorizing mixed text/php-code contents. Do you mean that
including a forged path will release confidential file contents ? Well, that's right, but
chroot exists, and I would prefer a way to ensure the forged path is detected as such and rejected
by the include statement. Something like tainting (a good candidate for inclusion in PHP 7, even if
it requires more work).

Cheers

François





   

Thread (31 messages)

• Yasuo OhgakiThu, 05 Feb 2015 01:53:10 +0000
  • Yasuo OhgakiThu, 05 Feb 2015 02:03:46 +0000Re: [RFC][DISCUSSION] script() and script_once()
    • reezeThu, 05 Feb 2015 04:38:13 +0000Re: Re: [RFC][DISCUSSION] script() and script_once()
      • Yasuo OhgakiThu, 05 Feb 2015 05:06:45 +0000
        • Adam HarveyThu, 05 Feb 2015 05:37:15 +0000
          • LeighThu, 05 Feb 2015 08:31:38 +0000
            • Yasuo OhgakiThu, 05 Feb 2015 10:20:53 +0000
              • Pierre JoyeThu, 05 Feb 2015 10:24:41 +0000
                • Yasuo OhgakiThu, 05 Feb 2015 10:47:05 +0000
                  • Pierre JoyeThu, 05 Feb 2015 11:49:20 +0000
                    • Yasuo OhgakiFri, 06 Feb 2015 01:25:43 +0000
                      • Pierre JoyeFri, 06 Feb 2015 01:39:06 +0000
                        • Yasuo OhgakiFri, 06 Feb 2015 02:07:39 +0000
                          • Pierre JoyeFri, 06 Feb 2015 02:13:13 +0000
                            • Yasuo OhgakiFri, 06 Feb 2015 03:33:29 +0000
                              • Pierre JoyeFri, 06 Feb 2015 03:40:55 +0000
                                • Yasuo OhgakiFri, 06 Feb 2015 04:08:46 +0000
                                  • Pierre JoyeFri, 06 Feb 2015 04:16:29 +0000
                                    • Yasuo OhgakiFri, 06 Feb 2015 04:35:11 +0000
                                      • Yasuo OhgakiFri, 06 Feb 2015 04:50:20 +0000
                                      • Pierre JoyeFri, 06 Feb 2015 04:52:44 +0000
                                        • Yasuo OhgakiFri, 06 Feb 2015 05:01:44 +0000
                                          • Lester CaineFri, 06 Feb 2015 08:30:15 +0000
                                            • Yasuo OhgakiFri, 06 Feb 2015 10:11:33 +0000
                • LeighThu, 05 Feb 2015 10:51:42 +0000
                  • Yasuo OhgakiThu, 05 Feb 2015 10:56:57 +0000
                • Yasuo OhgakiThu, 05 Feb 2015 10:52:04 +0000
        • François LaupretreThu, 05 Feb 2015 09:33:34 +0000RE: [PHP-DEV] Re: [RFC][DISCUSSION] script() and script_once()
  • Pierre JoyeThu, 05 Feb 2015 06:05:40 +0000
    • Martin KeckeisThu, 05 Feb 2015 08:55:48 +0000
  • Michael WallnerThu, 05 Feb 2015 09:47:32 +0000